Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/ci/bridge_policy_spec.rb2
-rw-r--r--spec/policies/ci/build_policy_spec.rb29
-rw-r--r--spec/policies/deploy_key_policy_spec.rb100
-rw-r--r--spec/policies/metrics/dashboard/annotation_policy_spec.rb67
-rw-r--r--spec/policies/organizations/organization_policy_spec.rb18
-rw-r--r--spec/policies/packages/policies/project_policy_spec.rb25
-rw-r--r--spec/policies/project_policy_spec.rb66
-rw-r--r--spec/policies/work_item_policy_spec.rb22
8 files changed, 196 insertions, 133 deletions
diff --git a/spec/policies/ci/bridge_policy_spec.rb b/spec/policies/ci/bridge_policy_spec.rb
index e598e2f7626..d23355b4c1e 100644
--- a/spec/policies/ci/bridge_policy_spec.rb
+++ b/spec/policies/ci/bridge_policy_spec.rb
@@ -13,6 +13,8 @@ RSpec.describe Ci::BridgePolicy do
described_class.new(user, bridge)
end
+ it_behaves_like 'a deployable job policy', :ci_bridge
+
describe '#play_job' do
before do
fake_access = double('Gitlab::UserAccess')
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index ec3b3fde719..6ab89daff82 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Ci::BuildPolicy do
+RSpec.describe Ci::BuildPolicy, feature_category: :continuous_integration do
let(:user) { create(:user) }
let(:build) { create(:ci_build, pipeline: pipeline) }
let(:pipeline) { create(:ci_empty_pipeline, project: project) }
@@ -11,6 +11,8 @@ RSpec.describe Ci::BuildPolicy do
described_class.new(user, build)
end
+ it_behaves_like 'a deployable job policy', :ci_build
+
shared_context 'public pipelines disabled' do
before do
project.update_attribute(:public_builds, false)
@@ -99,12 +101,15 @@ RSpec.describe Ci::BuildPolicy do
context 'when maintainer is allowed to push to pipeline branch' do
let(:project) { create(:project, :public) }
- let(:owner) { user }
- it 'enables update_build if user is maintainer' do
- allow_any_instance_of(Project).to receive(:empty_repo?).and_return(false)
- allow_any_instance_of(Project).to receive(:branch_allows_collaboration?).and_return(true)
+ before do
+ project.add_maintainer(user)
+ allow(project).to receive(:empty_repo?).and_return(false)
+ allow(project).to receive(:branch_allows_collaboration?).and_return(true)
+ end
+
+ it 'enables update_build if user is maintainer' do
expect(policy).to be_allowed :update_build
expect(policy).to be_allowed :update_commit_status
end
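Review bot: The stubs `allow(project).to receive(:empty_repo?)` and `allow(project).to receive(:branch_allows_collaboration?)` only take effect if the policy reaches this exact `project` object; `policy` is built from `build`, and if `build.project` is loaded as a separate record the example passes or fails on real protected-branch state rather than on the stub. It is worth pinning the wiring in the `before`, e.g. `expect(build.project).to equal(project)`, or stubbing via `build.project` so the intent survives factory changes. The enclosing `context` starts before this hunk and the `let(:project)` it now relies on for maintainer rights is the only visible setup.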
@@ -127,6 +132,16 @@ RSpec.describe Ci::BuildPolicy do
it 'does not include ability to update build' do
expect(policy).to be_disallowed :update_build
end
+
+ context 'when the user is admin', :enable_admin_mode do
+ before do
+ user.update!(admin: true)
+ end
+
+ it 'does not include ability to update build' do
+ expect(policy).to be_disallowed :update_build
+ end
+ end
end
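Review bot: The new admin example asserts that `:enable_admin_mode` does not unlock `:update_build`, but nothing records why, and the next reader is likely to read it as a bug rather than a deliberate protected-branch rule. A one-line comment above the context would settle that: `# Admin mode does not bypass branch push restrictions; update_build still requires push rights to the ref`. The enclosing context begins outside this hunk, so the precondition it sets up (presumably that the user cannot push to the pipeline's branch) is not visible here and the comment should name it explicitly.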
context 'when developers can push to the branch' do
@@ -252,7 +267,7 @@ RSpec.describe Ci::BuildPolicy do
create(:protected_branch, :developers_can_push, name: build.ref, project: project)
end
- it { expect(policy).to be_allowed :erase_build }
+ it { expect(policy).to be_disallowed :erase_build }
end
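Review bot: The `:erase_build` expectation on a protected branch flips from allowed to disallowed with only an anonymous `it { ... }`, so the tightened rule is stated nowhere in the spec. Give the example a description that records the intent, e.g. `it 'disallows erasing a build on a protected branch even when developers can push'`, and the parallel wording for the protected-tag case in the next hunk. The enclosing context (apparently 'when developers can push to the branch') starts outside this hunk, so the role held by `user` in this example is not visible here.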
context 'when the build was created for a protected tag' do
@@ -262,7 +277,7 @@ RSpec.describe Ci::BuildPolicy do
build.update!(tag: true)
end
- it { expect(policy).to be_allowed :erase_build }
+ it { expect(policy).to be_disallowed :erase_build }
end
context 'when the build was created for an unprotected ref' do
diff --git a/spec/policies/deploy_key_policy_spec.rb b/spec/policies/deploy_key_policy_spec.rb
index d84b80a8738..754f36ce3b0 100644
--- a/spec/policies/deploy_key_policy_spec.rb
+++ b/spec/policies/deploy_key_policy_spec.rb
@@ -2,69 +2,89 @@
require 'spec_helper'
-RSpec.describe DeployKeyPolicy do
+RSpec.describe DeployKeyPolicy, feature_category: :groups_and_projects do
subject { described_class.new(current_user, deploy_key) }
- describe 'updating a deploy_key' do
- context 'when a regular user' do
- let(:current_user) { create(:user) }
+ let_it_be(:current_user, refind: true) { create(:user) }
+ let_it_be(:admin) { create(:user, :admin) }
- context 'tries to update private deploy key attached to project' do
- let(:deploy_key) { create(:deploy_key, public: false) }
- let(:project) { create(:project_empty_repo) }
+ context 'when deploy key is public' do
+ let_it_be(:deploy_key) { create(:deploy_key, public: true) }
- before do
- project.add_maintainer(current_user)
- project.deploy_keys << deploy_key
- end
+ context 'and current_user is nil' do
+ let(:current_user) { nil }
- it { is_expected.to be_allowed(:update_deploy_key) }
- end
+ it { is_expected.to be_disallowed(:read_deploy_key) }
+
+ it { is_expected.to be_disallowed(:update_deploy_key) }
+ end
- context 'tries to update private deploy key attached to other project' do
- let(:deploy_key) { create(:deploy_key, public: false) }
- let(:other_project) { create(:project_empty_repo) }
+ context 'and current_user is present' do
+ it { is_expected.to be_allowed(:read_deploy_key) }
- before do
- other_project.deploy_keys << deploy_key
- end
+ it { is_expected.to be_disallowed(:update_deploy_key) }
+ end
- it { is_expected.to be_disallowed(:update_deploy_key) }
+ context 'when current_user is admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:read_deploy_key) }
+
+ it { is_expected.to be_allowed(:update_deploy_key) }
end
- context 'tries to update public deploy key' do
- let(:deploy_key) { create(:another_deploy_key, public: true) }
+ context 'when admin mode disabled' do
+ it { is_expected.to be_allowed(:read_deploy_key) }
it { is_expected.to be_disallowed(:update_deploy_key) }
end
end
+ end
+
+ context 'when deploy key is private' do
+ let_it_be(:deploy_key) { create(:deploy_key, :private) }
+
+ context 'and current_user is nil' do
+ let(:current_user) { nil }
- context 'when an admin user' do
- let(:current_user) { create(:user, :admin) }
+ it { is_expected.to be_disallowed(:read_deploy_key) }
- context 'tries to update private deploy key' do
- let(:deploy_key) { create(:deploy_key, public: false) }
+ it { is_expected.to be_disallowed(:update_deploy_key) }
+ end
+
+ context 'when current_user is admin' do
+ let(:current_user) { admin }
- context 'when admin mode enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(:update_deploy_key) }
- end
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:read_deploy_key) }
- context 'when admin mode disabled' do
- it { is_expected.to be_disallowed(:update_deploy_key) }
- end
+ it { is_expected.to be_allowed(:update_deploy_key) }
end
- context 'when an admin user tries to update public deploy key' do
- let(:deploy_key) { create(:another_deploy_key, public: true) }
+ context 'when admin mode disabled' do
+ it { is_expected.to be_disallowed(:read_deploy_key) }
+
+ it { is_expected.to be_disallowed(:update_deploy_key) }
+ end
+ end
- context 'when admin mode enabled', :enable_admin_mode do
- it { is_expected.to be_allowed(:update_deploy_key) }
- end
+ context 'when assigned to the project' do
+ let_it_be(:deploy_keys_project) { create(:deploy_keys_project, deploy_key: deploy_key) }
- context 'when admin mode disabled' do
- it { is_expected.to be_disallowed(:update_deploy_key) }
- end
+ before_all do
+ deploy_keys_project.project.add_maintainer(current_user)
end
+
+ it { is_expected.to be_allowed(:read_deploy_key) }
+
+ it { is_expected.to be_allowed(:update_deploy_key) }
+ end
+
+ context 'when assigned to another project' do
+ it { is_expected.to be_disallowed(:read_deploy_key) }
+
+ it { is_expected.to be_disallowed(:update_deploy_key) }
end
end
end
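Review bot: The context 'when assigned to another project' creates no `deploy_keys_project`, so it actually exercises a private key attached to no project and cannot distinguish a policy that checks project membership from one that ignores the association entirely. Make the assignment explicit on a project the user is not a member of, e.g. `let_it_be(:other_keys_project) { create(:deploy_keys_project, deploy_key: deploy_key) }`, and keep both `be_disallowed` expectations. The positive case covers only a maintainer of the assigned project, as before; a developer-level negative (`deploy_keys_project.project.add_developer(current_user)` expecting `:update_deploy_key` disallowed) would pin the least-privilege boundary, assuming maintainer is the intended floor, which the policy itself is not visible here to confirm.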
diff --git a/spec/policies/metrics/dashboard/annotation_policy_spec.rb b/spec/policies/metrics/dashboard/annotation_policy_spec.rb
deleted file mode 100644
index 2d1ef0ee0cb..00000000000
--- a/spec/policies/metrics/dashboard/annotation_policy_spec.rb
+++ /dev/null
@@ -1,67 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Metrics::Dashboard::AnnotationPolicy, :models do
- let(:policy) { described_class.new(user, annotation) }
-
- let_it_be(:user) { create(:user) }
-
- shared_examples 'metrics dashboard annotation policy' do
- context 'when guest' do
- before do
- project.add_guest(user)
- end
-
- it { expect(policy).to be_disallowed :read_metrics_dashboard_annotation }
- it { expect(policy).to be_disallowed :admin_metrics_dashboard_annotation }
- end
-
- context 'when reporter' do
- before do
- project.add_reporter(user)
- end
-
- it { expect(policy).to be_allowed :read_metrics_dashboard_annotation }
- it { expect(policy).to be_disallowed :admin_metrics_dashboard_annotation }
- end
-
- context 'when developer' do
- before do
- project.add_developer(user)
- end
-
- it { expect(policy).to be_allowed :read_metrics_dashboard_annotation }
- it { expect(policy).to be_allowed :admin_metrics_dashboard_annotation }
- end
-
- context 'when maintainer' do
- before do
- project.add_maintainer(user)
- end
-
- it { expect(policy).to be_allowed :read_metrics_dashboard_annotation }
- it { expect(policy).to be_allowed :admin_metrics_dashboard_annotation }
- end
- end
-
- describe 'rules' do
- context 'environments annotation' do
- let_it_be(:environment) { create(:environment) }
- let_it_be(:annotation) { create(:metrics_dashboard_annotation, environment: environment) }
-
- it_behaves_like 'metrics dashboard annotation policy' do
- let(:project) { environment.project }
- end
- end
-
- context 'cluster annotation' do
- let_it_be(:cluster) { create(:cluster, :project) }
- let_it_be(:annotation) { create(:metrics_dashboard_annotation, environment: nil, cluster: cluster) }
-
- it_behaves_like 'metrics dashboard annotation policy' do
- let(:project) { cluster.project }
- end
- end
- end
-end
diff --git a/spec/policies/organizations/organization_policy_spec.rb b/spec/policies/organizations/organization_policy_spec.rb
index 52d5a41aa7f..e51362227c9 100644
--- a/spec/policies/organizations/organization_policy_spec.rb
+++ b/spec/policies/organizations/organization_policy_spec.rb
@@ -7,21 +7,33 @@ RSpec.describe Organizations::OrganizationPolicy, feature_category: :cell do
subject(:policy) { described_class.new(current_user, organization) }
+ context 'when the user is anonymous' do
+ let_it_be(:current_user) { nil }
+
+ it { is_expected.to be_allowed(:read_organization) }
+ end
+
context 'when the user is an admin' do
let_it_be(:current_user) { create(:user, :admin) }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:admin_organization) }
+ it { is_expected.to be_allowed(:read_organization) }
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:admin_organization) }
+ it { is_expected.to be_allowed(:read_organization) }
end
end
- context 'when the user is not an admin' do
- let_it_be(:current_user) { create(:user) }
+ context 'when the user is an organization user' do
+ let_it_be(:current_user) { create :user }
+
+ before do
+ create :organization_user, organization: organization, user: current_user
+ end
- it { is_expected.to be_disallowed(:admin_organization) }
+ it { is_expected.to be_allowed(:read_organization) }
end
end
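Review bot: The removed `be_disallowed(:admin_organization)` for a non-admin user is not replaced, so after this change nothing in the spec asserts that an ordinary organization member or an anonymous visitor cannot administer the organization; only the admin-mode-off case retains that negative. Add `it { is_expected.to be_disallowed(:admin_organization) }` to both the anonymous context and the organization-user context. `read_organization` is now allowed for a `nil` user unconditionally; if organizations are intended to carry a visibility level later, this example pins public-by-default and should be revisited when that lands.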
diff --git a/spec/policies/packages/policies/project_policy_spec.rb b/spec/policies/packages/policies/project_policy_spec.rb
index 5c267ff5ac5..fde10f64be8 100644
--- a/spec/policies/packages/policies/project_policy_spec.rb
+++ b/spec/policies/packages/policies/project_policy_spec.rb
@@ -127,5 +127,30 @@ RSpec.describe Packages::Policies::ProjectPolicy do
it_behaves_like 'package access with repository disabled'
end
+
+ context 'with package_registry_allow_anyone_to_pull_option disabled' do
+ where(:project, :expect_to_be_allowed) do
+ ref(:private_project) | false
+ ref(:internal_project) | false
+ ref(:public_project) | true
+ end
+
+ with_them do
+ let(:current_user) { anonymous }
+
+ before do
+ stub_application_setting(package_registry_allow_anyone_to_pull_option: false)
+ project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)
+ end
+
+ it do
+ if expect_to_be_allowed
+ is_expected.to be_allowed(:read_package)
+ else
+ is_expected.to be_disallowed(:read_package)
+ end
+ end
+ end
+ end
end
end
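Review bot: The `if expect_to_be_allowed` branch inside the `it` leaves the example undescribed and turns a table column into control flow; a single matcher expression keeps the table declarative: `it { is_expected.to(expect_to_be_allowed ? be_allowed(:read_package) : be_disallowed(:read_package)) }`. The context only covers the option disabled; the complementary enabled case (anonymous allowed on internal/private projects with a PUBLIC registry level) is presumably pinned earlier in the file, but if it is not, this table is the natural place to add it with the setting as a third column.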
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 602b7148d0e..2854d6daece 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -2736,26 +2736,62 @@ RSpec.describe ProjectPolicy, feature_category: :system_access do
expect_allowed(:build_read_container_image)
end
end
+ end
+
+ context 'with external guest users' do
+ where(:project_visibility, :access_level, :allowed) do
+ :public | ProjectFeature::ENABLED | true
+ :public | ProjectFeature::PRIVATE | false
+ :public | ProjectFeature::DISABLED | false
+
+ :internal | ProjectFeature::ENABLED | true
+ :internal | ProjectFeature::PRIVATE | false
+ :internal | ProjectFeature::DISABLED | false
+
+ :private | ProjectFeature::ENABLED | false
+ :private | ProjectFeature::PRIVATE | false
+ :private | ProjectFeature::DISABLED | false
+ end
+
+ with_them do
+ let(:current_user) { guest }
+ let(:project) { send("#{project_visibility}_project") }
+
+ before do
+ project.project_feature.update!(container_registry_access_level: access_level)
+ current_user.update_column(:external, true)
+ end
- def permissions_abilities(role)
- case role
- when :admin
- if project_visibility == :private || access_level == ProjectFeature::PRIVATE
- maintainer_operations_permissions - admin_excluded_permissions
+ it 'allows/disallows the abilities based on the container_registry feature access level' do
+ if allowed
+ expect_allowed(*permissions_abilities(:guest))
+ expect_disallowed(*(all_permissions - permissions_abilities(:guest)))
else
- maintainer_operations_permissions
+ expect_disallowed(*all_permissions)
end
- when :maintainer, :owner
- maintainer_operations_permissions
- when :developer
- developer_operations_permissions
- when :reporter, :guest
- guest_operations_permissions
- when :anonymous
- anonymous_operations_permissions
+ end
+ end
+ end
+
+ # Overrides `permissions_abilities` defined below to be suitable for container_image policies
+ def permissions_abilities(role)
+ case role
+ when :admin
+ if project_visibility == :private || access_level == ProjectFeature::PRIVATE
+ maintainer_operations_permissions - admin_excluded_permissions
else
- raise "Unknown role #{role}"
+ maintainer_operations_permissions
end
+ when :maintainer, :owner
+ maintainer_operations_permissions
+ when :developer
+ developer_operations_permissions
+ when :reporter, :guest
+ guest_operations_permissions
+ when :anonymous
+ anonymous_operations_permissions
+ else
+ raise "Unknown role #{role}"
end
end
end
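Review bot: The comment says this `permissions_abilities` "overrides" a method defined below, but a bare `def` inside an RSpec group defines a method on that group's class, and when two `def`s of the same name live in the same group the later one wins, so unless this one sits in a nested group the version below silently replaces it and the container-registry examples would run against the wrong table. Indentation is not preserved here, so the nesting cannot be confirmed from the hunk; renaming this one to something local such as `container_registry_permissions_abilities` removes the collision either way. `current_user.update_column(:external, true)` skips validations and callbacks on User; `current_user.update!(external: true)` is the safer form unless a callback is deliberately being avoided, in which case a comment should say so. The `describe` enclosing these contexts starts outside this hunk.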
diff --git a/spec/policies/work_item_policy_spec.rb b/spec/policies/work_item_policy_spec.rb
index 3d282271d60..bd8f5604eba 100644
--- a/spec/policies/work_item_policy_spec.rb
+++ b/spec/policies/work_item_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe WorkItemPolicy do
+RSpec.describe WorkItemPolicy, feature_category: :team_planning do
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, group: group) }
let_it_be(:public_project) { create(:project, :public, group: group) }
@@ -201,4 +201,24 @@ RSpec.describe WorkItemPolicy do
end
end
end
+
+ describe 'admin_work_item_link' do
+ context 'when user is not a member of the project' do
+ let(:current_user) { non_member_user }
+
+ it { is_expected.to be_disallowed(:admin_work_item_link) }
+ end
+
+ context 'when user is guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_allowed(:admin_work_item_link) }
+ end
+
+ context 'when user is reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_allowed(:admin_work_item_link) }
+ end
+ end
end
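Review bot: Allowing `:admin_work_item_link` for guests is pinned only for a plain work item; there is no example for a confidential work item, where a guest who is neither author nor assignee presumably should not be able to manage links. If the spec already has a confidential fixture, add `context 'when work item is confidential'` with the guest expecting `be_disallowed(:admin_work_item_link)` and the reporter still allowed. The `subject` and the `non_member_user`, `guest` and `reporter` fixtures are defined outside this hunk.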